Help Me Get Rid Of My Virus! (+ HijackThis Log)  
User currently offlineFutterman From United States, joined Sep 2003, 1301 posts, RR: 55
Posted (4 years 8 months 12 hours ago) and read 659 times:

Something's fiddling with my system registry and is giving me the Internet Explorer equivalent of the blue-screen-of-death: an about:blank homepage. Can't get rid of this and I just got over another virus a few weeks ago.

I've been able to find out that the culprit(s) are probably files by the name of ATLTL32.exe and knhoo.dll (used to be "zmtlw.dll" but I deleted it). I believe these file names change from case to case, so they're not necessarily all that useful in their own right.

I've run HijackThis, so here's my log. I replaced all the forward slashes with carets because the former doesn't show up in the final post for whatever reason...

Quote:
Logfile of HijackThis v1.99.1
Scan saved at 3:34:46 PM, on 4/13/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:>WINDOWS>SYSTEM>KERNEL32.DLL
C:>WINDOWS>SYSTEM>MSGSRV32.EXE
C:>WINDOWS>SYSTEM>MPREXE.EXE
C:>WINDOWS>SYSTEM>IEBP.EXE
C:>WINDOWS>SYSTEM>mmtask.tsk
C:>WINDOWS>EXPLORER.EXE
C:>WINDOWS>IEKT32.EXE
C:>WINDOWS>SYSTEM>DDHELP.EXE
C:>PROGRAM FILES>INTERNET EXPLORER>IEXPLORE.EXE
C:>PROGRAM FILES>DANTZ>RETROSPECT>RETRORUN.EXE
C:>PROGRAM FILES>MICROSOFT OFFICE>OFFICE>WINWORD.EXE
C:>WINDOWS>SYSTEM>SPOOL32.EXE
C:>WINDOWS>DESKTOP>HIJACKTHIS.EXE

R1 - HKCU>Software>Microsoft>Internet Explorer>Main,Search Bar = res://C:>WINDOWS>knhoo.dll/sp.html#12345
R1 - HKCU>Software>Microsoft>Internet Explorer>Main,Search Page = res://C:>WINDOWS>knhoo.dll/sp.html#12345
R1 - HKLM>Software>Microsoft>Internet Explorer>Main,Default_Page_URL = about:blank
R1 - HKLM>Software>Microsoft>Internet Explorer>Main,Default_Search_URL = res://C:>WINDOWS>knhoo.dll/sp.html#12345
R1 - HKLM>Software>Microsoft>Internet Explorer>Main,Search Bar = res://C:>WINDOWS>knhoo.dll/sp.html#12345
R1 - HKLM>Software>Microsoft>Internet Explorer>Main,Search Page = res://C:>WINDOWS>knhoo.dll/sp.html#12345
R0 - HKLM>Software>Microsoft>Internet Explorer>Search,SearchAssistant = res://C:>WINDOWS>knhoo.dll/sp.html#12345
R1 - HKCU>Software>Microsoft>Windows>CurrentVersion>Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:>program files>google>googletoolbar1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:>PROGRAM FILES>ADOBE>ACROBAT 6.0>READER>ACTIVEX>ACROIEHELPER.DLL
O2 - BHO: Class - {BB32FFA6-E089-668D-E5AD-954034F388EC} - C:>WINDOWS>SYSTEM>MFCYW32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:>WINDOWS>SYSTEM>MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:>program files>google>googletoolbar1.dll
O4 - HKLM>..>Run: [MSConfigReminder] C:>WINDOWS>SYSTEM>msconfig.exe /reminder
O4 - HKLM>..>Run: [IEKT32.EXE] C:>WINDOWS>IEKT32.EXE
O4 - HKLM>..>RunServices: [Retrospect Launcher] C:>PROGRAM FILES>DANTZ>RETROSPECT>RETRORUN.EXE
O4 - HKCU>..>Run: [AIM] C:>PROGRAM FILES>AIM>aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://C:>PROGRAM FILES>GOOGLE>GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:>PROGRAM FILES>GOOGLE>GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:>PROGRAM FILES>GOOGLE>GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:>PROGRAM FILES>GOOGLE>GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:>PROGRAM FILES>GOOGLE>GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:>PROGRAM FILES>GOOGLE>GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:>WINDOWS>web>related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:>WINDOWS>web>related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:>PROGRA~1>MESSEN~1>MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:>PROGRA~1>MESSEN~1>MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:>PROGRAM FILES>AIM>AIM.EXE
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com

Reformatting is only a last resort, as I can definitely follow directions that will get rid of whatever this sonofabitch is. Please note that I'm using Windows ME.


Thanks,

Brian


What the FUTT?
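A small triage helper for HijackThis logs like the one above. This is an added example, not code from the thread, from HijackThis, or from any of the log analyzers people link to; it parses the R0/R1/O2/O4 entry lines, undoes the `>` that the poster substituted for path separators, and flags the traces an about:blank search hijacker of this kind leaves behind: Internet Explorer search or start settings pointed at a res:// URL inside a DLL on the local disk, a Default_Page_URL forced to about:blank, and a Browser Helper Object registered with no descriptive name. The sample log is a constructed, trimmed copy of the first log in the thread; the heuristics and all function names are this example's own.

```python
"""Triage helper for HijackThis (HJT) logs: parse the entry lines and flag
the indicators of a res://-based about:blank search hijack.

Added example; not code from the thread or from HijackThis itself.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the log posted above, with '>'
# standing in for the backslashes that the forum software ate.
SAMPLE_LOG = """\
R1 - HKCU>Software>Microsoft>Internet Explorer>Main,Search Bar = res://C:>WINDOWS>knhoo.dll/sp.html#12345
R1 - HKLM>Software>Microsoft>Internet Explorer>Main,Default_Page_URL = about:blank
R1 - HKLM>Software>Microsoft>Internet Explorer>Main,Default_Search_URL = res://C:>WINDOWS>knhoo.dll/sp.html#12345
R0 - HKLM>Software>Microsoft>Internet Explorer>Search,SearchAssistant = res://C:>WINDOWS>knhoo.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:>program files>google>googletoolbar1.dll
O2 - BHO: Class - {BB32FFA6-E089-668D-E5AD-954034F388EC} - C:>WINDOWS>SYSTEM>MFCYW32.DLL
O4 - HKLM>..>Run: [MSConfigReminder] C:>WINDOWS>SYSTEM>msconfig.exe /reminder
O4 - HKLM>..>Run: [IEKT32.EXE] C:>WINDOWS>IEKT32.EXE
O8 - Extra context menu item: &Google Search - res://C:>PROGRAM FILES>GOOGLE>GOOGLETOOLBAR1.DLL/cmsearch.html
"""

# An HJT entry: a section code such as R1 or O4, " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# A res:// URL whose resource container is a .dll on a local drive.
RES_DLL_RE = re.compile(r"res://(?P<dll>[A-Za-z]:\\[^/]+?\.dll)/", re.IGNORECASE)


@dataclass
class Entry:
    code: str   # HJT section code, e.g. "R1", "O2"
    body: str   # the rest of the line, with real backslashes restored


@dataclass
class Finding:
    code: str
    reason: str
    path: str   # file (or value) the finding points at


def normalize_separators(line: str, stand_in: str = ">") -> str:
    """Restore backslashes where the poster used another character."""
    return line.replace(stand_in, "\\")


def parse_hjt(text: str, stand_in: str = ">") -> list[Entry]:
    """Return the R*/O* entries of a log; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("code"), normalize_separators(m.group("body"), stand_in)))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the hijack heuristics. res:// is legitimate in O8 context-menu
    entries (the Google toolbar uses it), so the res:// rule is limited to
    the R0/R1 start- and search-page settings."""
    findings = []
    for e in entries:
        if e.code in ("R0", "R1"):
            m = RES_DLL_RE.search(e.body)
            if m:
                findings.append(Finding(e.code, "IE search/start setting redirected into a local DLL via res://", m.group("dll")))
            elif "Default_Page_URL = about:blank" in e.body:
                findings.append(Finding(e.code, "Default_Page_URL forced to about:blank", "about:blank"))
        elif e.code == "O2" and e.body.startswith("BHO: Class - "):
            # HJT prints the registered name; a bare "Class" means there is none.
            findings.append(Finding(e.code, "BHO registered without a descriptive name", e.body.rsplit(" - ", 1)[-1]))
    return findings


def files_to_investigate(findings: list[Finding]) -> list[str]:
    """Distinct on-disk files named by the findings, for the cleanup worksheet."""
    return sorted({f.path for f in findings if f.path != "about:blank"})


if __name__ == "__main__":
    found = triage(parse_hjt(SAMPLE_LOG))
    for f in found:
        print(f"{f.code}: {f.reason} -> {f.path}")
    print("files to investigate:", files_to_investigate(found))
```

Running it against the sample prints the three res:// redirects into knhoo.dll, the about:blank default page, and the unnamed BHO in MFCYW32.DLL, and reduces the log to a two-file worksheet; the R3 "URLSearchHook is missing" line and the Run entries are parsed but not flagged, because on their own they are not evidence of anything.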
User currently offlineDelta717 From United States, joined Mar 2000, 455 posts, RR: 1
Reply 1, posted (4 years 8 months 12 hours ago) and read 655 times:

Two words.

Mozilla Firefox.

Believe me...it works so well with getting rid of spyware. If Norton or HijackThis can't fix it, and you can't do anything else...start backing up your files and reformat your hard drive.


Conor Clancy - JFK - Nikon D70 - Defying Gravity
User currently offlineMyt332 From United Kingdom (England), joined Sep 2003, 8737 posts, RR: 92
Reply 2, posted (4 years 8 months 11 hours ago) and read 647 times:

Quoting Futterman (Thread starter):
Platform: Windows ME (Win9x 4.90.3000)

May I ask why? I now have no sympathy for you.


One Life, Live it.
User currently offlineFutterman From United States, joined Sep 2003, 1301 posts, RR: 55
Reply 3, posted (4 years 8 months 11 hours ago) and read 645 times:

Delta, it's appreciated and all, but in no way, shape, or form is that going to resolve my current issue. Will consider it when it's all said and done.

Myt, what difference does it make? Millennium sucks, I know, but I'm not spending $400 for XP and all the bootleg copies tend to fall through. I live, and my OS isn't the problem here. Shit happens to anything, my computer or yours.

Maybe I didn't make this clear. I'm looking for tech help, not stupid wisecracks and irrelevant comments.

Next?

[Edited 2005-04-13 21:56:00]


What the FUTT?
User currently offlineCatatonic From United Kingdom (Wales), joined Mar 2004, 1155 posts, RR: 6
Reply 4, posted (4 years 8 months 11 hours ago) and read 630 times:

Quoting Futterman (Reply 3):
Myt, what difference does it make? Millennium sucks, I know, but I'm not spending $400 for XP and all the bootleg copies tend to fall through.

$400??? What planet are you living on? OEM versions of XP Pro are about $180; all you have to do is buy a cheap mouse with it!


Equally Cursed and Blessed.
User currently offline777DadandJr From United States, joined Feb 2005, 1506 posts, RR: 17
Reply 5, posted (4 years 8 months 11 hours ago) and read 627 times:

First of all, it's not truly a virus. It's a Trojan Worm. Unlikely you will get rid of it. Happened to me a while ago. You would need to know all the files that the worm dropped in order to eradicate it, and that is unlikely.
You are going to have to end up doing a reformat and clean install. These worms not only f*ck up your system, but they also will render anti virus software inoperable. It won't even allow you to connect to Norton or McAfee to download updates. It can also disable your System Restore feature and any spyware/adware programs you might have. These are very nasty buggers.
If you reformat, I suggest doing a few things afterwards.
Install Spyware Blaster, and Spybot. Update once a week and run them all the time. Install a good firewall program. Try Zone Alarm, it's free. Use a good anti virus software as well, and keep it updated. Also, get Norton Ghost. After you rebuild your system and install all your core apps, run Ghost and make an image of your hard drive in pristine condition. If this ever happens again, you can copy the drive image back and be up and running again in about an hour.

Sorry to hear about this. Good Luck

Russ


My glass is neither 1/2 empty nor 1/2 full, rather, the glass itself is twice as big as it should be.
User currently offlineMyt332 From United Kingdom (England), joined Sep 2003, 8737 posts, RR: 92
Reply 6, posted (4 years 8 months 11 hours ago) and read 622 times:

Futterman, you're right, shit does happen and now it's happening to you. So here's what you do, Jimmy. Cut your losses, go buy XP and do an over-the-top install. You don't lose your files (photos etc.) and you have a more stable OS, thus less crap. That's the difference, ok?

Otherwise, rummage around for your Millennium Edition CD (a crappy version of 98) and extract the files you deleted. Or do a reinstall.


One Life, Live it.
User currently offlineFutterman From United States, joined Sep 2003, 1301 posts, RR: 55
Reply 7, posted (4 years 8 months 11 hours ago) and read 613 times:

Thanks, Myt, I'll put that on my fridge.

Quoting 777DadandJr (Reply 5):
First of all, it's not truly a virus. It's a Trojan Worm. Unlikely you will get rid of it. Happened to me a while ago. You would need to know all the file that the worm dropped in order to eradicate it, and that is unlikely.
You are going to have to end up doing a reformat and clean install.

Hey, Russ.

I recently ended up reformatting over a similar Trojan Worm, SE.dll, but found online that people were able to get rid of it "fairly easily". I just wasn't enough of a techie to understand 100% of what was going on.

I'll look into those programs you mentioned, but a clean start is still a last resort as I'm sure somebody here knows what can be done (whether or not it'll work is a whole different issue). Thanks, though!


Brian

[Edited 2005-04-13 22:12:56]


What the FUTT?
User currently offlineConcord977 From United States, joined Jan 2004, 1255 posts, RR: 44
Reply 8, posted (4 years 8 months 11 hours ago) and read 605 times:

Brian,

You might already know about this, so disregard if this is old news.

Paste your HijackThis log into the window provided at this website and it will analyze every entry and offer some solutions for things that appear out of line.

http://hjt.iamnotageek.com/

- Curt


(P.S. I pasted your log into the analyzer and it returned many items that are "safe but not necessary" and then it flagged the following items as "malware" ...)

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:>WINDOWS>web>related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:>WINDOWS>web>related.htm

[Edited 2005-04-13 22:19:15]


Proudly, A.net's most unviewed profile.
User currently offline777DadandJr From United States, joined Feb 2005, 1506 posts, RR: 17
Reply 9, posted (4 years 8 months 11 hours ago) and read 600 times:

Quoting Futterman (Reply 7):
I recently ended up reformatting over a similar Trojan Worm, SE.dll, but found online that people were able to get rid of it "fairly easily". I just wasn't enough of a techie to understand 100% of what was going on.

Well, good luck to you Brian. I hope that will solve your problem.

Quoting Myt332 (Reply 6):
Futterman, you're right shit does happen and now it's happening to you. So here's what you do Jimmy. Cut your losses, go buy XP and do an over the top install. You don't lose your files (photos etc) and you have a more stable OS thus less crap. That's the difference ok?

I don't think an overlay install of XP will do the trick. If this is a Trojan worm, the files will not be overwritten and what you'll end up with is a new copy of XP with a Trojan. The upside is, if you do get yourself a copy of XP, then YES, by all means, do a clean install. You will thank yourself in the morning. And BTW, you needn't buy a "full" version of XP. You can buy an upgrade version and still do a clean install without having to reinstall that piece of sh*t ME first, and save yourself $100 in the process.

Russ


My glass is neither 1/2 empty nor 1/2 full, rather, the glass itself is twice as big as it should be.
User currently offlineAirlinelover From United States, joined Jun 2001, 5580 posts, RR: 45
Reply 10, posted (4 years 8 months 11 hours ago) and read 593 times:

Futterman, first thing you need to do is backup and format.
Second: Go buy an UPGRADE for Win XP, then install it FRESH on your system. All it MIGHT ask for is that you put in a disc proving you have a previous version of windows.
Third- DITCH IE! Netscape or Firefox is great.

If you have any questions, email me via my profile.

Chris


Lets do some sexy math. We add you, subtract your clothes, divide your legs and multiply
User currently offline777heavy From Germany, joined May 2004, 260 posts, RR: 2
Reply 11, posted (4 years 8 months 11 hours ago) and read 590 times:

Hi Futterman,

maybe a.net isn't the right place to get help for your problem.

Just two things:

1. Install a trial version of a good anti virus software, and I'm not talking about Norton!!! Try http://www.kaspersky.com, http://www.bitdefender.com or http://www.f-secure.com. Those 3 are the best anti virus software available. They should be able to solve your problem.

2. Post your hijack logfile here: http://www.hijackthis.de/en

Good luck!

777heavy

BTW: And think about changing your system to XP SP2!!!


Well done Germany!
User currently offlineMyt332 From United Kingdom (England), joined Sep 2003, 8737 posts, RR: 92
Reply 12, posted (4 years 8 months 11 hours ago) and read 588 times:

Quoting 777DadandJr (Reply 9):
I don't think an overlay install of XP will do the trick.

All depends what futterman has done to his PC and what 'virus' he has this time. He sounds pretty inept so maybe you're right. Format the HD, wipe your files. Just don't ask us how to back up everything as well.


One Life, Live it.
User currently offlineSovietjet From Bulgaria, joined Mar 2003, 1906 posts, RR: 17
Reply 13, posted (4 years 8 months 9 hours ago) and read 564 times:

Lol my copy of XP works fine...$0 just go burn your friend's XP or just use your friend's CD it doesn't matter. Try Kaspersky antivirus too.

User currently offlineMD11Engineer From Germany, joined Oct 2003, 10405 posts, RR: 67
Reply 14, posted (4 years 8 months 9 hours ago) and read 555 times:

Change your operating system to something less virus-friendly, e.g. Linux. Ok, I'm not playing games, but I discovered that for almost every utility I used under Windows (the only exemptions are my low cost scanner, whose manufacturer refuses to hand out certain data to the Linux crowd, and some route planning software), I could find a Linux counterpart, and usually much cheaper, if not free.

Jan

User currently offlineCatatonic From United Kingdom (Wales), joined Mar 2004, 1155 posts, RR: 6
Reply 15, posted (4 years 8 months 9 hours ago) and read 555 times:

Quoting Sovietjet (Reply 13):
Lol my copy of XP works fine...$0 just go burn your friend's XP or just use your friend's CD it doesn't matter. Try Kaspersky antivirus too.

TUT!!! You Russians are costing poor Bill Gates a small fortune in piracy! BTW how did you get past the Product Activation?


Equally Cursed and Blessed.
User currently offlineManzoori From Christmas Island, joined Sep 2002, 1499 posts, RR: 50
Reply 16, posted (4 years 8 months 9 hours ago) and read 552 times:

Brian,

Have you tried Adaware or Spybot to get rid of the offending Trojan? These can sometimes help.

Regards,

Rez


Flightlineimages DOT Com Photographer & Web Editor. RR Turbines Specialist
User currently offlineDeltaffindfw From United States, joined Sep 2003, 1249 posts, RR: 1
Reply 17, posted (4 years 8 months 9 hours ago) and read 547 times:

Futterman -

This just happened to me last week. Check out this site. It gives you a lot of details.

http://www.short-media.com/forum/showthread.php?p=172774

User currently offlineFutterman From United States, joined Sep 2003, 1301 posts, RR: 55
Reply 18, posted (4 years 8 months 4 hours ago) and read 536 times:

I ended up going through http://www.hijackthis.de; their (English) forum is pretty damn good. I got a decently swift response and, after following some simple directions, got this thing taken care of. No reformatting whatsoever. If it means anything to anyone, this is the latest HJT log (yes, still with Millennium):

Quote:
Logfile of HijackThis v1.99.1
Scan saved at 10:34:26 PM, on 4/13/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:WINDOWSSYSTEMKERNEL32.DLL
C:WINDOWSSYSTEMMSGSRV32.EXE
C:WINDOWSSYSTEMmmtask.tsk
C:WINDOWSSYSTEMMPREXE.EXE
C:PROGRAM FILESDANTZRETROSPECTRETRORUN.EXE
C:PROGRAM FILESCOMMON FILESSOFTWINBITDEFENDER SCAN SERVERBDSS.EXE
C:PROGRAM FILESCOMMON FILESSOFTWINBITDEFENDER COMMUNICATORXCOMMSVR.EXE
C:WINDOWSEXPLORER.EXE
C:PROGRAM FILESAIMAIM.EXE
C:WINDOWSSYSTEMDDHELP.EXE
C:PROGRAM FILESINTERNET EXPLORERIEXPLORE.EXE
C:PROGRAM FILESHJTHIJACKTHIS.EXE

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = res://C:WINDOWScnvxv.dll/sp.html#12345
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = res://C:WINDOWScnvxv.dll/sp.html#12345
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.airliners.net/
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:program filesgooglegoogletoolbar1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:PROGRAM FILESADOBEACROBAT 6.0READERACTIVEXACROIEHELPER.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:program filesgooglegoogletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINDOWSSYSTEMMSDXM.OCX
O4 - HKLM..Run: [BDNewsAgent] C:PROGRAM FILESSOFTWINBITDEFENDER FREE EDITIONbdnagent.exe
O4 - HKLM..RunServices: [Retrospect Launcher] C:PROGRAM FILESDANTZRETROSPECTRETRORUN.EXE
O4 - HKLM..RunServices: [IEBP.EXE] C:WINDOWSSYSTEMIEBP.EXE /s
O4 - HKLM..RunServices: [BitDefender Scan Server] C:Program FilesCommon FilesSoftwinBitDefender Scan Serverbdss.exe
O4 - HKLM..RunServices: [BitDefender Communicator] C:Program FilesCommon FilesSoftwinBitDefender Communicatorxcommsvr.exe
O4 - HKLM..RunServices: [BitDefender Live! Init] C:Program FilesSoftwinBitDefender Free Editionbdinit.exe
O4 - HKCU..Run: [AIM] C:PROGRAM FILESAIMaim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://C:PROGRAM FILESGOOGLEGOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:PROGRAM FILESGOOGLEGOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:PROGRAM FILESGOOGLEGOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:PROGRAM FILESGOOGLEGOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:PROGRAM FILESGOOGLEGOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:PROGRAM FILESGOOGLEGOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:PROGRA~1MESSEN~1MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:PROGRA~1MESSEN~1MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:PROGRAM FILESAIMAIM.EXE

I'll look into XP again and start to buckle down on some other preventative measures. Thanks for trying, anyway.

Myt, no hard feelings. Despite your calling me inept, I assure you they can be mutual.


Brian


What the FUTT?
This topic is archived and can not be replied to any more.